b'                      National Archives and Records Administration\n                                                                                        8601 Adelphi Road\n                                                                       College Park, Maryland 20740-6001\n\n\nDate       :    December 21, 2005\n\nReply to\nAttn of    :    Office of Inspector General (OIG)\n\nSubject    :    Audit Memorandum 06-07, Evaluation of Management Control Program for FY 2005\n\nTo         :   Allen Weinstein, Archivist of the United States (N)\n\n           Our review of the National Archives and Records Administration\xe2\x80\x99s (NARA\xe2\x80\x99s) Management\n           Control Program for FY 2005 has been completed. The OIG performs this review annually to\n           ensure that agency managers continuously monitor and improve the effectiveness of\n           management controls associated with their programs. This continuous monitoring, and other\n           periodic evaluations, provides the basis for the Archivist\xe2\x80\x99s annual assessment of, and report on\n           management controls, as required by the Federal Managers\xe2\x80\x99 Financial Integrity Act (FMFIA).\n\n           We found that NARA\xe2\x80\x99s assurance statement was adequately supported and complied with the\n           intentions of FMFIA and OMB Circular A-123, Management Accountability and Control.\n           Pursuant to Section 4 of FMFIA, the financial subsystems of NARA generally conform to the\n           objectives detailed in the revised OMB Circular A-127, Financial Management Systems.\n           Although some systems are not in complete conformance because they fail to meet the\n           financial management system requirement, the nonconformances are not deemed material.\n           Because no recommendations are being made, we felt it would be more appropriate to provide\n           the results of our effort through an audit memorandum rather than a more formal reporting\n           process.\n\n           The purpose of our evaluation was to determine the extent to which there is sufficient\n           evidence that NARA complied with the requirements of the FMFIA, OMB Circular A-123,\n           OMB A-127, and NARA 114, Management Controls to support the Archivist\xe2\x80\x99s FY 2005\n           assurance statement to the President and Congress.\n\n           To accomplish our objective, we examined the assurance statements and related management\n           control evaluation documents submitted by NARA office heads in support of their assurance\n           statements and in accordance with NARA 114. We performed a detailed review on the\n           assurance statements of five major program offices: Office of Administration (NA), Office of\n           Information Services (NH), Office of Presidential Libraries (NL), Office of Regional Records\n           Services (NR) and Office of Records Services (NW), while performing a desk audit on the\n           remaining offices\xe2\x80\x99 assurance statements. We reviewed the related evaluation files to assess\n           the timeliness and adequacy of actions planned and taken in response to recommendations\n           from evaluations completed in both the current and previous fiscal years.\n\n\n\n                                                      1\n                                 National Archives and Records Administration\n\x0cWe compared information in the evaluation files to assess the accuracy of information\nreported in the assurance statements. We interviewed the NARA management control officer,\nand management control liaisons for each NARA organization. Our review revealed the\nfollowing four issues.\n\nInaccurate Information Reported\n\nOur review noted three instances where inaccurate information was reported in management\xe2\x80\x99s\nassurance statements to the Archivist. This condition resulted from lack of communication\nbetween management control liaisons and program offices. This could result in the Archivist\nreporting inaccurate information in the agency assurance statement.\n\nIn the first instance, NR reported in Enclosure C, Description of Material Weakness in\nManagement Controls, that the Radio Frequency Identification Tag (RFID) technology testing\nwas completed in FY 2005. NR also states the study concluded the RFID technology was not\na viable option.\n\nAt the end of FY 2004, NARA hired a contractor to determine if using RFID technologies\nwould be a viable solution to tracking documents and artifacts, thereby reducing the risks of\ntheft and misfiling. The contract was awarded on September 23, 2004, with a performance\nperiod of September 27, 2004, to March 26, 2005. As of October 2005, the contractor has not\nsubmitted its first deliverable, which is the project management plan. This plan should\ninclude a project schedule and a written methodology plan. After further discussion with the\nmanagement control liaison for NR and NW, we learned the project is technically still\non-going. However, the contractor failed to perform in a reasonable time frame and NARA is\nconsidering canceling the contract.\n\nAccording to NR\xe2\x80\x99s management control liaison, the project was complete because, \xe2\x80\x9cfor all\npractical purposes, NARA will not continue to pursue this technology.\xe2\x80\x9d\n\nIn the second instance, NA reported that A-127 reviews on Budget Execution and\nFormulation were completed. After requesting copies of the report, we learned the reviews\nwere not performed. According to the Director of Financial Services Division (NAB), the A-\n127 review on the financial management subsystems were not performed because the service\nwas being performed under another contract. In addition, the management control liaison\nincluded these reviews in the assurance statement because she thought they were completed.\n\nIn the third instance, NH reported they currently have and have tested contingency plans for\nall the systems. After further inquiry, it was determined that contingency plans have not been\ncompleted for two systems. According to the Chief Information Security Officer (CISO), one\nof the systems is not a certified system and therefore does not have a contingency plan.\nHowever, the issue with the other system is being resolved with the system owner. Based on\nthe self assessment, NH\xe2\x80\x99s understanding is there is not a contingency plan because it is not\nrequired. NARA 114.11 states office heads must make an annual assurance statement to the\nArchivist on their system of management controls.\n\n\n\n                                                2\n                           National Archives and Records Administration\n\x0cThe assurance statement must include a list of management evaluations conducted and\nspecific examples of management knowledge used as the basis for the assurance. In NARA\nNotice 2005-229, Assurance Statements for FY 2005, the Archivist states, \xe2\x80\x9cto adequately\nsupport my assurance statement, I must be fully assured that management controls of each\noffice and staff are achieving their intended objectives. I need an assurance statement that\nassesses your management controls. It is very important that you report the status of all\ndeficiencies and weaknesses and identify any material weaknesses as defined.\xe2\x80\x9d\n\nIn preparing the agency\xe2\x80\x99s assurance statement, the Archivist is relying on management\nassurance statements that are not entirely accurate. This could result in the Archivist\ninaccurately reporting to the President and Congress the adequacy and effectiveness of\nmanagement controls in NARA\xe2\x80\x99s programs and administrative activities.\n\nInconsistent Reporting on Open Recommendations\n\nWe noted numerous instances in which program offices reported differently on the status of\nthe same open recommendations. We also noted instances where program offices reported\nOIG reports or recommendations were closed; however, the reports or recommendations\nremain open. NARA 114 states program offices should coordinate before preparing their\nassurance statements to ensure conformity. This could result in the Archivist inaccurately\nreporting to the President and Congress the adequacy and effectiveness of management\ncontrols in NARA\xe2\x80\x99s programs and administrative activities.\n\nOur review revealed that two program offices, NA and NR reported differently on the same\nopen recommendations. NA\xe2\x80\x99s Space and Security Management Division (NASS) performed\nphysical security and life safety audits at several records centers, which resulted in\nrecommendations. These reviews and recommendations are reported on each program office\nassurance statement. The chart below details the report, recommendation, and how each\nprogram office reported the status of the recommendation.\n\nReview/ Date                       Recommendation             NR Status of         NA Status of\n                                                              recommendation       recommendation\nMPRC Physical Security and                   1-4              NR is reporting as   NA is reporting as\nLife Safety Inspection/                                       open                 closed\nFY 2004\nSeattle Physical Security and                  3              NR is reporting as   NA is reporting as\nLife Safety Inspection                                        closed               open\n\n\nPittsfield Physical Security                   1              NR is reporting as   NA is reporting as\nand Life Safety Inspection                                    open                 closed\nBannister Physical Security                    1              NR is reporting as   NA is reporting as\nand Life Safety Inspection                                    open                 closed\nLee Summit Physical and                        1              NR is reporting as   NA is reporting as\nLife Safety Inspection                                        closed               open\n\n\n\n\n                                                    3\n                               National Archives and Records Administration\n\x0cThe following chart details the program offices that reported the incorrect status on OIG open\nitems.\n\nOIG Report        Program Office Status              OIG status\nNo.\nOIG #03-10        NHPRC reported as closed           OIG has recommendation #4 as open;\n                                                     therefore the report is still open\nOIG #03-06        NPOL/NW reported this as           OIG has recommendation #1 as open;\n                  closed                             therefore the report is still open.\nOIG #03-01        NH reported                        OIG has the recommendation as open.\n                  recommendation #4 as\n                  closed\nOIG #04-22        NH reported                        OIG has the recommendation as open.\n                  recommendation #2c as\n                  closed\nOIG 04-23         NH reported                        OIG has the recommendation as open.\n                  recommendation #1 as\n                  closed\nOIG 05-05         NH reported                        OIG has these recommendations as\n                  recommendations 1a & 1b            open.\n                  as closed. NA reported\n                  recommendation #1c as\n                  closed.\nOIG #04-13        NR reported                        OIG has these recommendations as\n                  recommendations #1 &3 as           open.\n                  closed.\n\nManagers and management liaisons are not coordinating their responses with NA or NPOL\nbefore preparing their assurance statements to ensure conformity with inspections performed\nby NA or OIG. The failure to properly monitor and report on the status of open\nrecommendations could lead to inaccuracies in the Archivist\xe2\x80\x99s assurance statement to the\nPresident.\n\nSupporting Documentation Not Maintained\n\nAt least on one occasion, we noted documentation was not maintained to support statements\nreported in the program assurance statements. NARA 114 states management control\nassessments must be documented in writing. Supporting documentation was not prepared\nbecause the audit conducted by the program office ISOO did not reveal any exceptions.\nWithout the proper support documentation, we are unable to verify if the program office\nactually performed the review as stated.\n\nISOO\xe2\x80\x99s assurance statement reports an audit of credit card records was completed for two\npurchase card holders. After requesting a copy of the report, we later learned a report was not\nprepared. ISOO\xe2\x80\x99s management control liaison stated the credit card audit was performed on\none purchase card holder. Since everything was in place, no formal report was written.\n\n\n                                                 4\n                            National Archives and Records Administration\n\x0cThe management control liaison reported the results of the audit in a staff meeting; however,\nnotes from the staff meeting are not maintained.\n\nNARA 114 states management control assessments must be documented in writing, either in\nthe body of the report or in other materials maintained in the management control assessment\nfile. OMB A-123 states documentation for transactions, management controls, and other\nsignificant events must be clear and readily available for examination. Without clear and\nreadily available documentation, we are unable to determine if the information reported in the\nassurance statement is accurate.\n\nLack of Management Control Plan\n\nOne program office did not prepare a management control plan. According to NARA 114,\neach office head must develop and update a management control plan.\n\nNEEO does not have a management control plan. NARA 114 states, that to ensure that\nappropriate action is taken throughout the year to meet the objectives of FMFIA, each office\nhead must develop and update a written management control plan. The management control\nplan must include a list of critical functions, operations and programs, and must document the\nfrequency with which management control in these critical areas will be reviewed. The plan\nshould be used as a framework for planning future reviews. Since the most critical function of\npossible vulnerability of NEEO is the processing of EEO complaints of discrimination, the\nDirector of EEO and Diversity Programs finds it unnecessary to develop a specific\nmanagement control plan. Without a specific management control plan, the program office\nmay fail to perform the required program reviews, which serve as the basis for the agency\xe2\x80\x99s\nassurance statement.\n\nAs a result of a meeting concerning these conditions, NARA\xe2\x80\x99s Management Control Liaison\nhas agreed to work with liaisons in each office to ensure accurate information is reported,\nreporting on recommendations is consistent, supporting documentation is maintained and\nmanagement control plans are documented.\n\nClifton Gunderson also performed A-123 and A-127 reviews as part of the financial statement\naudit. They did not report any findings but made several suggestions. The NARA\nManagement Control Liaison agreed to review and implement these suggestions where\napplicable.\n\nThis evaluation was performed in accordance with generally accepted government auditing\nstandards from September 2005 through December 2005 at Archives II in College Park,\nMaryland. Should you or your staff have any questions, or require additional information,\nplease contract James Springs or me at (301) 837-3000.\n\n\n\nPaul Brachfeld\nInspector General\n\n\n\n                                                5\n                           National Archives and Records Administration\n\x0c'